[Snort-sigs] Sigs for QAZ trojan/worm

Joe Stewart jstewart at ...5...
Mon Oct 30 17:45:23 EST 2000


Here are some sigs to detect the infamous QAZ trojan/worm.

alert tcp any 110 -> $HOME_NET any (msg:"LURHQ-01 - VIRUS - Possible Incoming QAZ Worm"; content: "|71 61 7a 77 73 78 2e 68 73 71|";)

alert tcp any any -> any 139 (msg:"LURHQ-02 - VIRUS - Possible QAZ Worm Infection"; flags:A; content: "|71 61 7a 77 73 78 2e 68 73 71|";)

alert tcp any any -> $HOME_NET 7597 (msg:"LURHQ-03 - BACKDOOR SIGNATURE - QAZ Worm Client Login Detected"; flags:PA; content: "|71 61 7a 77 73 78 2e 68 73 71|";)

-Joe

-- 
Joe Stewart
Information Security Analyst 
LURHQ Corporation
==========================>
843-347-1075 ext. 303
jstewart at ...5...

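
An added example, not part of the post above and not Snort code: a minimal Python sketch that decodes the content pattern shared by the three rules and checks their ports, flags and content against constructed packets. Address matching ($HOME_NET) is skipped, and the packet dict layout and all function names are assumptions made for illustration.

```python
# Content pattern shared by all three rules in the post.
CONTENT = "|71 61 7a 77 73 78 2e 68 73 71|"

# Ports and flags copied from the rules; None means "any".
# Address matching ($HOME_NET) is left out of this sketch.
RULES = [
    {"name": "LURHQ-01", "sport": 110, "dport": None, "flags": None},
    {"name": "LURHQ-02", "sport": None, "dport": 139, "flags": "A"},
    {"name": "LURHQ-03", "sport": None, "dport": 7597, "flags": "PA"},
]

def decode_content(spec):
    """Convert a Snort content string (text mixed with |hex| runs) to bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        # Odd-numbered segments sit between pipes and hold hex bytes.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

PATTERN = decode_content(CONTENT)

def matches(rule, pkt):
    """Check one constructed packet (a dict, hypothetical layout) against a rule."""
    if rule["sport"] is not None and pkt["sport"] != rule["sport"]:
        return False
    if rule["dport"] is not None and pkt["dport"] != rule["dport"]:
        return False
    # A flags option without a modifier is an exact match on the flag set.
    if rule["flags"] is not None and set(pkt["flags"]) != set(rule["flags"]):
        return False
    return PATTERN in pkt["payload"]  # content is case-sensitive without nocase

def alerts(pkt):
    """Names of the rules that would fire for this packet."""
    return [r["name"] for r in RULES if matches(r, pkt)]

# Constructed sample packets (not captured traffic).
DATA = b"\x00\x01" + PATTERN + b"\x00"
SAMPLES = {
    "pop3_reply": {"sport": 110, "dport": 1025, "flags": "PA", "payload": DATA},
    "smb_ack": {"sport": 1030, "dport": 139, "flags": "A", "payload": DATA},
    "smb_psh_ack": {"sport": 1030, "dport": 139, "flags": "PA", "payload": DATA},
    "backdoor_login": {"sport": 1031, "dport": 7597, "flags": "PA", "payload": DATA},
    "upper_case": {"sport": 1031, "dport": 7597, "flags": "PA",
                   "payload": PATTERN.upper()},
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:15} -> {alerts(pkt)}")
```

The pattern decodes to the ASCII string qazwsx.hsq. In this model the PSH+ACK packet to port 139 does not fire LURHQ-02, because flags:A with no modifier matches only a bare ACK, and the upper-case payload fires nothing because none of the rules use nocase.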
